Information Note on the Personal Data Processing Requirement of Explicit Provision in Laws
The Personal Data Protection Authority (“Authority“) published the Information Note on the Personal Data Processing Requirements When Processing Is Provided for by the Laws (“Information Note”) on 05/08/2024.
Pursuant to the Law on the Protection of Personal Data No. 6698 (“LPPD”), the processing of personal data is subject to certain conditions. These conditions cannot be expanded or changed. The rule is that personal data cannot be processed without the explicit consent of the data subject.
However, pursuant to Article 5/2-a of LPPD, personal data may be processed without explicit consent if the condition of being provided for by the laws is fulfilled. The Authority has examined the personal data processing requirement of “Provided for in the Laws” regulated in Article 5/2-a of LPPD in accordance with Turkish Law and EU Law.
The right to request the protection of personal data is regulated under Article 20 of the Constitution of the Republic of Türkiye and fundamental rights and freedoms may only be limited by laws. Therefore, the Information Note first distinguishes between legislative and administrative regulation when determining the scope of the exception in Article 5/2-a. Accordingly, personal data may be processed on the basis of the relevant processing condition only if there is an express provision in any law or if an express provision is directed to secondary legislation. For example, employee identification data may be processed based on this data processing condition pursuant to Article 75 of the Labor Law No. 4857. However, if it is not envisaged under any law, processing based solely on decisions of administrative authorities, or any secondary legislation, it is against the Constitution of Republic of Türkiye.
The phrase “express” in the text of the article should be interpreted broadly. For example, the processing of employees’ data, such as bank account numbers and social security numbers, to enable the employer to pay employees’ salaries, would fall within this scope.
The Information Note also discusses the application of the EU General Data Protection Regulation (“GDPR”) and compares it with the Turkish legislation.
Unlike the LPPD, in the GDPR, the data processing condition of “expressly provided for the laws” is not regulated separately; it is evaluated within the scope of “fulfillment of the legal obligation of the data controller”.
In order for the “legal obligation” to be based on the data processing requirement in terms of the application of the GDPR, the data controller must assess whether data processing is necessary to comply with the obligation in question and clearly point to the specific law, decision of a regulatory authority or court that gives rise to the legal obligation. It is also stated that obligations under the primary and secondary legal regulations are accepted within the scope of legal obligation.